Practical quantum key distribution: On the security evaluation with inefficient 

single-photon detectors 
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Quantum Key Distribution with the BB84 protocol has been shown to be unconditionally secure 
even using weak coherent pulses instead of single-photon signals. The distances that can be covered 
by these methods are limited due to the loss in the quantum channel (e.g. loss in the optical fiber) 
and in the single-photon counters of the receivers. One can argue that the loss in the detectors 
cannot be changed by an eavesdropper in order to increase the covered distance. Here we show 
that the security analysis of this scenario is not as easy as is commonly assumed, since already 
two-photon processes allow eavesdropping strategies that outperform the known photon-number 
splitting attack. For this reason there is, so far, no satisfactory security analysis available in the 
framework of individual attacks. 

PACS numbers: 



I. INTRODUCTION 

Quantum key distribution (QKD) 0,0 is a technique 
that allows two parties (Alice and Bob) to generate a 
secret key despite the computational and technological 
power of an eavesdropper (Eve) who interferes with the 
signals. Together with the Vernam cipher QKD can 
be used for unconditionally secure data transmission. 

The basic ingredient of any QKD protocol is the distri- 
bution of effective quantum states that can be proved to 
be entangled The first complete scheme for QKD is 
that introduced by Bennett and Brassard in 1984 (BB84 
for short) 0. In a quantum optical implementation of 
this protocol, Alice encodes each random bit into the po- 
larization state of a single-photon. She chooses for her 
encoding one of two mutually unbiased bases, e.g. either 
a linear or a circular polarization basis. On the receiving 
side, Bob measures each photon by selecting at random 
between two polarization analyzers, one for each possible 
basis. Once this phase is completed, Alice and Bob use an 
authenticated public channel to process their correlated 
data in order to obtain a secret key. This last procedure, 
called key distillation^ involves, typically, postselection of 
data, error correction to reconcile the data, and privacy 
amplification to decouple the data from Eve |^. A full 
proof of the security for the whole protocol has been given 
in|iy,|^,|gi. 

After the first demonstration of the feasibility of this 
scheme several long-distance implementations have 
been realized in the last years (see [H El El Ei and 
references therein). However, these practical approaches 
differ in many important aspects from the original the- 
oretical proposal, since that demands technologies that 
are beyond our present experimental capability. Espe- 
cially, the signals emitted by the source, instead of being 
single-photons, are usually weak coherent pulses (WCP) 
with typical average photon numbers of 0.1 or higher. 
These pulses are described by coherent states in the cho- 
sen polarization mode. The quantum channel introduces 



considerable attenuation and errors that affect the signals 
even when Eve is not present. Finally, the detectors em- 
ployed by the receiver have a low detection efficiency and 
are noisy. All these modifications jeopardize the security 
of the protocol, and leads to limitations of rate and dis- 
tance that can be covered by these techniques 15, 1^. 
A positive security proof against all individual particle 
attacks, even with practical signals, has been given in 
[l7| . More recently, a complete proof of the uncondi- 
tional security of this scheme in a realistic setting has 
been achieved E3- This means that, despite practical 
restrictions, with the support of the classical information 
techniques used in the key distillation phase, it is still 
possible to obtain a secure secret key. 

The main limitation of QKD based on WCP arises 
from the fact that some pulses contain more than one 
photon prepared in the same polarization state. Now 
Eve is no longer limited by the no-cloning theorem Ell 
since in these events the signal itself provides her with 
perfect copies of the signal photon. She can perform 
the so called Photon Number Splitting (PNS) attack on 
the multi-photon pulses fT5l|. This attack provides Eve 
with full information about the part of the key gener- 
ated with the multi-photon signals [20l |. without causing 
any disturbance in the signal polarization. Together with 
an optimal eavesdropping attack on the single-photon 
pulses, the PNS attack constitutes Eve's optimal strat- 
egy E^ E^ ■ This result is stated for a conservative def- 
inition of security. In this paradigm, it is commonly as- 
sumed that some flaws in Alice and Bob's devices (e.g. 
the detection efficiency and the dark count probability 
of the detectors), together with the losses in the chan- 
nel, are controlled by Eve, who exploits them to obtain 
maximal information about the shared key. 

In this paper we analyze a different scenario. We im- 
pose constraints on Eve's capabilities, and we are inter- 
ested in the influence that this effect has on her best 
strategy. It is necessary to distinguish this work from 
earlier ones: here we consider a more relaxed definition 
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of security than the one in fvA IT^ . In particular, we 
study the situation where Eve is not able to manipulate 
Alice and Bob's devices at all, but she is limited to act 
exclusively on the quantum channel (See e.g. ||2l|). The 
main motivation to consider this scenario is that from 
a practical point of view it constitutes a reasonable de- 
scription of a realistic situation, where Alice and Bob can 
limit Eve's influence on their apparatus by some counter- 
attack techniques. However, this scenario has not been 
analyzed thoroughly. See Appendix ^ for a discussion 
of the articles by Gilbert and Hamrick. In discussions 
within the scientific community one often hears the hope 
that it is sufficient to consider the PNS attack, but this 
time taking into account the finite detection efficiency 
of Bob's detectors. As a result the loss of a photon in 
the PNS attack reduces the probability to detect the 
remaining signal with the inefficient detectors and less 
multi-photon signals contribute to the final key. This sug- 
gests higher available rates. However, the analysis of this 
scenario is rather subtle, as we will show in this paper. 
Note that a first counter example against that believe 
is contained in |22l | show ing that the unambiguous state 
discrimination attack of |2l| can outperform the adapta- 
tion of the photon-number splitting attack of [la, [l3 in 
the discussed scenario of limited eavesdropping capabil- 
ities. This result applied to signals containing at least 
three photons. We show that already two-photon pro- 
cesses allow for improved eavesdropping in the restricted 
scenario. 

With our article, we point out the difficulty of 
analysing the scenario where Bob's detection efficiency 
cannot be manipulated. For this we refer to the stan- 
dard BB84 protocol, where in the first part only the raw 
bit rate (before the key distillation phase) is monitored 
but not the number of coincidence detections. We con- 
struct two specific eavesdropping strategies which do not 
subtract photons from all the multi-photon pulses, and 
that are more powerful than the PNS attack for some 
relevant regimes of the observed error rate. They are 
based on specifically chosen cloning attacks. The results 
obtained here do not constitute a complete analysis of 
Eve's optimal attack under these restriction, they intro- 
duce a new class of eavesdropping strategies that become 
relevant only in this scenario. Our results clearly show 
that a simple extension of the PNS attack in this sce- 
nario fails to deliver security. In an extended version of 
the protocol, where Alice and Bob can access the com- 
plete photon number statistics of the arriving signal, we 
find that the advantage of the cloning attacks is not as 
evident, but requires a deeper analysis. 

The paper is organized as follows. In Sec. ^ we de- 
scribe in more detail the scenario we consider here. This 
includes the signal states and detection methods em- 
ployed by Alice and Bob together with the technologies 
assumed for Eve. In Sec. IIIII we introduce the complete 
PNS attack, and we analyze a particular process that is 
part of this attack and involves only single-photon sig- 
nals and two-photon signals. In Sec. IIVI we introduce 



two more processes that do not subtract photons from 
the pulses. They are based on cloning machines oper- 
ating only on two-photon pulses. In Sec. |3 these two 
processes are compared with the PNS process. We show 
that, for some relevant regimes of the observed error rate 
in the sifted key, the two processes based on cloning ma- 
chines provide Eve with more information than the PNS 
process. The extended version of the protocol, where Al- 
ice and Bob use the full statistics at their disposal to 
detect Eve, as introduced in Ullllll is briefly consider 
in Sec. IVII Finally, Sec. IVIII concludes the paper with a 
summary. 



II. TOOLBOX FOR ALICE, BOB AND EVE 
A. Alice 

Alice uses WCP signal states that are described by co- 
herent states with a small amplitude a. This corresponds 
to the description of a dimmed laser pulse. We consider 
otherwise a perfect implementation of the signal states. 
The coherent state is given by 

n=0 

with being the creation operator for one of the four 
BB84 polarizations modes. However, usually there is 
no reference phase available outside Alice's lab, and the 
state that Bob and Eve see is not a coherent state 
ja), but the phase-averaged form of the signal, p — 
^ le^^a) (e^^aj d(j). This results in an effective signal 
state which is a mixture of Fock states with a Poisso- 
nian photon- number distribution of mean = |ap. It is 
described by the density matrix 

P = e-^ E (2) 

where the state \n) denotes the Fock state with n photons 
in one of the four BB84 polarization states. 



B. Bob 

We consider that Bob employs the active detection 
setup shown in Fig. ^ It consists of a polarization ana- 
lyzer and a polarization shifter which effectively changes 
the polarization basis of the subsequent measurement. 
The polarization analyzer has two detectors, monitoring 
each one output of a polarizing beam splitter. These 
detectors are characterized by their detection efficiency 
r]det- They can be described by a combination of beam 
splitters of transmittance rjdet and ideal detectors [23 |. 
This model can be simplified further by considering that 
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second step cannot be influenced by Eve, then Alice and 
Bob can infer the channel error rate, that is assumed 
to be due to eavesdropping, from their data and their 
knowledge of the detector performance. This means that 
only this reduced channel error rate needs to be taken 
into account in the privacy amplification step. 



FIG. 1: The polarization shifter allows to change the polar- 
ization basis (+ and x) of the measurement as desired. The 
polarization analyzer consists of a polarizing beam splitter 
(PB) and two ideal detectors. The PB discriminates the two 
orthogonal polarized modes. Detection efficiencies are mod- 
eled by a beam splitter (BS) of transmittance r]dct- 

both detectors are equal. In this situation, it is possi- 
ble to attribute the losses of both detectors to a single- 
loss beam splitter which is located after the transmission 
channel. We assume that the detectors cannot distin- 
guish the number of photons of arrival signals, but they 
provide only two possible outcomes: "click" (at least one 
photon is detected) , and " no click" (no photon is detected 
in the pulse). 

The action of Bob's detection device can be character- 
ized by two POVM, one for each of the two polarization 
basis /3 used in the BB84 protocol P3. Each POVM 
contains four elements ,23]: F!^^^,F^,F^, and F^. The 
outcome of the first operator, i^^^cj corresponds to no 
click in the detectors, the following two POVM opera- 
tors, and , give precisely one detection click (these 
are the desired measurements), and the last one, F^, 
gives rise to both detectors being triggered. If we denote 
by |n,m)^ the state which has n photons in one mode 
and m photons in the orthogonal polarization mode with 
respect to the polarization basis /3, the elements of the 
POVM for this basis are given by 

oo 

FLc = E |n,m)^(n,m|, (3) 

n,m— 

OG 

F^ = E (1-^")^" \n,m)p{n,ml 

oo 

Pi = E i^-nnt \n,m)p{n,m\, 

n,m—0 
oo 

Pd = (l-r7")(l-r) |n,m)^(n,m|, 

n,'tn—Q 

where fj = {1 - rjdet)- 

The detectors show also noise in the form of dark 
counts which are, to a good approximation, independent 
of the signal. Note that the observed errors can be though 
as coming from a two-step process: In the first step the 
signals are changed as they pass Eve's domain in the 
quantum channel, in the second step random noise from 
the detector dark counts is added. If we assume that the 



C. Eve 

As discussed before, we allow Eve to have at her dis- 
posal all technology allowed by Quantum Mechanics, but 
she is limited to use it exclusively on the quantum chan- 
nel. This assumption has two consequences on Eve's 
possible eavesdropping strategies that are vital for the 
security analysis of the next sections. In particular, the 
detection efficiency r]det of Bob's detectors is fixed and 
Eve cannot influence it to obtain extra information [26j |. 
Moreover, since we consider that the noise of the de- 
tectors is independent of the signals entering them, Eve 
cannot make use of the dark counts to increase her infor- 
mation. 



III. THE PNS ATTACK 

In the photon-number splitting attack Eve performs a 
quantum non-demolition measurement of the total num- 
ber of photons of each signal. Whenever she finds that 
a signal contains two or more photons, she deterministi- 
cally takes one photon out. The remaining photons are 
then forwarded to Bob. The photons in Eve's hand will 
reveal its signal polarization to Eve if she waits with her 
measurement until she learns the polarization basis dur- 
ing the key distillation phase. If the loss of the channel is 
strong enough. Eve can block all the single-photon pulses 
and forward only the remaining photons of multi-photon 
signals by a lossless channel; on these signals she can ob- 
tain the whole information. In this situation no secure 
key can be generated. When the loss is not high enough 
for this, then Eve can block only a fraction of the single- 
photon signals, but she can perform some optimal eaves- 
dropping attack on the remaining single-photon pulses. 
Moreover, the whole process can be adapted such that it 
mimics the photon number statistics of a lossy channel 
in typical situations 

When Bob uses a detection setup with ideal detectors, 
or Eve can manipulate their efficiency such as "qdet = 1, 
then the PNS attack constitutes Eve's optimal strategy 
[Tt^ ^8] . The reason is that in this case all signals that 
provide Eve with full information about the key (multi- 
photon pulses) contribute for the raw key. If the detec- 
tors have a detection efficiency rjdet < 1 which Eve cannot 
change, we find that with certain probability the multi- 
photon signals can also contribute to vacuum events in 
the detection process. In this situation, there are regimes 
where the PNS attack is still Eve's optimal eavesdrop- 
ping strategy. This happens when the loss in the channel 
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FIG. 2: Process included in the PNS attack. With probability 
p the pulse contains two photons, Eve takes on photon out of 
it, and she sends the remained one photon to Bob. In the case 
of single-photon signals (probability 1 — p), Eve performs an 
optimal eavesdropping attack (OA) on these pulses. 



FIG. 3: When the pulse contains two photons, Eve employs 
an asymmetric cloning machine which produces three clones. 
She keeps one of the clones, and she sends the other two 
clones to Bob. This occur with probability p. In the case of 
a single-photon pulse (probability 1 — p), she blocks it. 



is sufficiently high such that the number of non- vacuum 
signals expected to arrive at Bob's detection device is 
smaller than the number of multi- photon signals. Here 
we consider the regime vifhere this is not the case. This 
means that Eve needs to compensate the effect of the 
undetected multi-photon signals by increasing the num- 
ber of single-photons signals that is sent to Bob. This 
fact reduces the effectiveness of the PNS attack, and one 
might consider the existence of better strategies for Eve. 

We focus in a particular combination of processes that 
are contained in the extended PNS attack j23|, now 
with imperfect detectors. This combination includes only 
some two-photon processes (with probability p) and some 
one-photon processes (probability 1 — p) from the whole 
eavesdropping strategy. It is represented in Fig. |2] The 
objective is to obtain Eve's maximum information on this 
combination of processes given a particular disturbance 
in the signals. For that, we employ the concept of mutual 
information given by Shannon. Under this definition, it 
has been proven that the optimal attack on single-photon 
signals (OA), i. e. the one that provides Eve maximum 
information about the raw key, coincides with the opti- 
mal individual attack on these signals This opti- 
mal individual attack has been introduced by Fuchs et. 
al. in p9l |. In the symmetric strategy, every qubit sig- 
nal Pa sent by Alice is transformed into the mixed state 
Pb = (1 — 2D) Pa + D1. The disturbance D represents 
the error rate in the sifted key within the chosen signals; 
it is not the overall observed error rate. The connection 
between the two error rates is made in section FV Al For 
a given value of D, Eve's maximum information in this 
attack is given by j23 

lAE^l<i>{2^D{l-D)), (4) 

where the function $ is defined as $(a;) = (1 + a;) log2(l + 
x) + {1 — x)log2(l — x). With this result, now it is 
straightforward to obtain Eve's maximum information in 
the PNS process of Fig. 13 as a function of p and D, 

/^r=P+^$(2/D(T~D)). (5) 



In the next section we introduce two more combination 
of processes that have the same input signals as those of 
Fig. El Then, in Sec.0we show that these new processes 
provide Eve more information than the PNS process, for 
some relevant regimes of D. Moreover, the raw bit rate 
of all the processes can be selected to be the same. This 
means that the substitution of the combination of pro- 
cesses of Fig. 121 by any of the new combinations leads 
to a better eavesdropping strategy in terms of Shannon 
information. 



IV. CLONING ATTACKS 

Another possible eavesdropping alternative for Eve is 
not to reduce the number of photons in the signal as 
in the PNS attack. Instead, she can interact with the 
signals via a photon-number conserving interaction of a 
probe system with the signal photons. Then, after the 
information about the polarization basis is publicly re- 
vealed, Eve can obtain information about the key by 
measuring her probe. In this attack, multi-photon signals 
maintain their photon-number and can therefore con- 
tribute with higher probability to a "click" event. There- 
fore, the fraction of the single-photon signals in this at- 
tack can be decreased. In principle, one would like to 
optimize this type of attack over all possible probes and 
their interaction. However, for the sake of simplicity, 
we restrict our analysis to the case of two particular in- 
teractions representing cloning machines. This is moti- 
vated by the fact that the optimal individual attack for 
single-photon pulses coincides with the optimal phase- 
covariant cloning machine '30'| . These cases already proof 
our point. 

Consider the process represented in Fig. O The in- 
put signals are the same of the process of Fig. El But 
here Eve employs an asymmetric cloning machine for all 
two-photon pulses, while she blocks all the single-photon 
pulses. The parameter p can be selected such that the 
processes of Fig. Eland Fig.|31have the same raw key rate. 
This is done in Sec.0 when we compare them. We con- 
sider two particular asymmetric cloning machines that 
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have been proposed by Aci'n et al. in [3l|. They gener- 
ahze the 1 — > 2 asymmetric cloning machines introduced 
in [22, inil to the 2-^3 case. But before introducing 
these cloning machines and study the performance of the 
process of Fig. |21 for each of them (strategies A and B 
below), we introduce a qubit representation for the two- 
photon pulses emitted by Alice that is used in the next 
subsections. 

The set of two-photon signals employed in the 
BB84 protocol span a three dimensional Hilbert space. 
They can be represented in the symmetric sub- 
space of two-qubits, which contains the signal states 
|Q^®2^|^^«2^|^^«2^ and where |±) = l/\/2(|0) ± 



A. STRATEGY A 

In this attack Eve uses an asymmetric universal cloning 
machine. It takes as an input state two copies of an 
unknown one-qubit state, plus a two-qubit probe. Its 
unitary transformation is defined by 31] 

C/|^)®'|00) = a|Vr'|0+)+/3(a,|^)®'|r) + 

(6) 

where the operator at = Cfc (8) 1 -I- 1 (8) tTfc (for k = x,y, z) 
with the usual Pauli operators (Jk^ the states ji/'^) — 
1/V2(|01) ± |10)), = l/\/2(|00) ± 111)), and + 

8/3^ = 1. In the output, the state of the first two qubits 
belong to the symmetric subspace of two-qubits signals, 
and correspond to the two photons that are sent to Bob. 
The third and fourth qubit constitute the probe that is 
kept by Eve. Next we calculate the information that Eve 
can obtain on Alice's signal as part of a sifted key by 
measuring her probe after the public announcement of 
basis. 

Eve's probe for the signals and |— )'*^, after ap- 

plying the cloning machine, is given by 

p+ = 2D\-+){- + \ + {l- 2D)\^+){^+\, (7) 



and 



p_ = 2D\ + -)(+ - I + (1 - 2D)\^^){ip^l (8) 



respectively, where \ip±) = 1/Vl - 2D(Vl - 4£)|0+) ± 
\/2D\i{)^)) [s^]. Note that in the subspace spanned 
by the two-qubit states | — h) and | H — ) Eve can dis- 
criminate between and perfectly. In the or- 
thogonal subspace spanned by |(/)+) and however, 
the states and p_ present a non-vanishing overlap 
X — {ipj^\ip_) = (1— 6I?)/(1— 21?). In this subspace. Eve's 
maximum information is given by Iae = l/2$(\/l — x^) 
135*, '361 . This means that Eve's maximum information in 
this cloning machine can be written as a function of D 
as 



l-2D ^f ^%D{l-AD) 



1 - 2D 



This expressions holds also for the signals of the other po- 
larization basis, so that it denotes also the total Shannon 
information over all signals. 

Here, and also in the next subsection, we consider that 
double click events are not discard by Bob, but they con- 
tribute to the raw key. Every time Bob obtains a double 
click, he just decides randomly the bit value |^. 



B. STRATEGY B 

The second cloning machine we consider is a phase- 
covariant cloning machine. The unitary transformation 
of this cloning machine is given by [3ll | 

u\v)m = {vwmm + {vwmm. m 

where can be any state in the symmetric 2-qubit 
Hilbert space, and V is the unitary transformation 

y|00)|0) = |000) (11) 
cos7(|010> + |100)) + sin7|001) 



F|V^+)|0) = 

y|ii)|o) = 



^1 + cos2 7 
cos7|110> -f sin7(|011> -I- |101)) 



+ sin 7 



V has the same form as V but interchanging zeros and 
ones on the right hand side of Eq. (|lll) . and < 7 < 
TT. The first two output qubits of this cloning machine 
belong again to the symmetric subspace of two-qubits 
signals and correspond with the two photons which are 
sent to Bob, while the other two qubits constitute Eve's 
probe. 

Following the same argumentation used in strategy A, 
when Ahce sends the signals j-f)*^^, |— f2^, the state 
of Eve's probe is given by p+ or p_, depending on the 
particular state chose by Alice. The states p+ and p^ can 
be written in the basis |+)|+), |+)|-), |-)|+), |-)|-) as 




and 



^-=16 



(9) 



(12) 

respectively, where the coefficients a, 6, c, d, e, and / are 
complicated functions of the parameter 7. The exact ex- 
pression of these coefficients is given in appendix B. To 
calculate Eve's maximum information in this case, we 
can decompose Eve's optimal measurement again in two 
steps. First, she performs a projection measurement onto 
the two orthogonal subspaces spanned by |-t-)|-l-), |— )|— ), 
and ), |— )|+), respectively. This measurement re- 

duces the optimization problem in the whole space, to 
discriminate in each subspace between two equiprobable 
one-qubit states whose density matrices have the same in- 
variants. This problem was solved by Levitin in |35j |. The 
maximum of the mutual information in each subspace is 
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given by / = l/2$(-\/l — r — 2d), where r represents the 
trace of the product of the two states, and d is the deter- 
minant of their density matrices. Using the expressions 
for Eve's maximum information in each subspaces, one 
can obtain Eve's maximum information in the cloning 
machine as a function of the coefficients a,c,d, and /. It 
is given impHcitly by 

/J.^^{(«+c,*(i^)+(.+/,*(i^)}.,i3) 

The disturbance D in this case has the form 

D = -\l ^ =(cos7+ , ^ ) \. 

21 V2(l + cos2 7)^ Vl + sin^T i 

(14) 

Again, due to symmetry with respect to the polarization 
bases, Eq. H13() holds also for the total average Shannon 
information. 



V. PNS ATTACK VERSUS CLONING ATTACKS 

The processes represented in Fig. |5| and in Fig. |3| for 
both cloning machines, gives a symmetric detection pat- 
tern. That is, if Bob measures the signals in the same 
basis chosen by Alice when preparing the states, then the 
probability of obtaining a correct result, a wrong result, 
or a double click is the same for all the signals. Otherwise 
the outcomes corresponding to events with one detection 
click are completely random. For a fair comparison of 
the PNS process and the two cloning processes, we need 
to assure that the raw bit rate in Bob's detectors is the 
same for all of them, pr]det + {^-p)Tldet = VVdeti'^ - Vdet)- 
The left-hand-side of the equation is the number of clicks 
of the PNS process, while the right-hand-side is the num- 
ber of clicks expected in Fig.Ofor both cloning machines. 
This means that p — 1/(2 — jy^et)- If we include this value 
in Eq. jSJ, Eve's maximum information in the PNS pro- 
cess is now written as 

This expression can now be directly compared with 
Eq. jni and Eq. ifT^ . The results are plotted in Fig.0]and 
show regimes of D for which the process based on cloning 
machines provides Eve with more information than the 
PNS process. Note that Eve's maximum information in 
the cloning processes is independent of rjdet- This fact 
comes from the matching condition for the raw bit rate. 
In the PNS process, as expected, when rjdet approaches 
one, also I'^e^ approaches one, since the PNS attack is 
the optimal strategy for Eve's in the case of ideal detec- 
tors. In the phase-covariant cloning machine of strategy 
B, Eve's maximum information never reaches one. The 
reason is that in this particular cloning machine none 
of the two qubits kept by Eve can reach a fidelity one 
with respect to the input state. For low values of Z?, 




D 

FIG. 4: Eve's maximum information versus the disturbance 
D: PNS process for increasing, equally spaced values of r]det 
(solid). The lower line corresponds to rjdet = 0.1, while the 
upper line corresponds to rjdet = 0.9. Universal cloning ma- 
chine. Strategy A (dotted). Phase-covariant cloning machine. 
Strategy B (dashdot). 



this cloning machine gives Eve more information than 
the universal cloning machine of strategy A. From the 
perspective of cloning machines this fact is not surpris- 
ing. The fidelity achievable in the clones depends always 
on the set of allowed input states. As more information 
about the input set is known, better the input states can 
be cloned. The phase covariant cloning machine exploits 
the fact that the input states are equatorial qubits. That 
is, the z component of their Bloch vector is zero. The 
cloning machine of strategy A, however, is designed to 
clone any input qubit with the same fidelity. 



A. OBSERVED ERROR RATE 

In this section we obtain the relationship between the 
disturbance D, which appears in Fig. ^ and the overall 
observed error rate e which is measured in the experi- 
ment. This relationship can be established by an analysis 
of the PNS attack alone, which includes here the optimal 
eavesdropping on single photon signals, as before. 

The probability that a multi-photon signal undergoes 
the PNS attack and then is detected by Bob's detection 
device is given by 

oo 

P™f^ = ^P(n,/.)[l-7y"-i], (16) 

where P(n, /i) = e^'^/x"/n! is the photon-number distri- 
bution of the signal states emitted by Alice, given by 
Eq. |(5J. On the other hand, the expected click rate at 
Bob's side has the form 

Pe.p = 1 - e-'^"'^-"*, (17) 

where rjt is the transmission efficiency of the quantum 
channel. The total loss in dB of the quantum channel is 
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FIG. 5: Observed error rate e versus the disturbance D as a 
function of the loss in dB of the quantum channel. The mean 
photon number is 0.1 and rjdet is 0.2 in this example. 



FIG. 6: The disturbance D as a function of the loss in dB of 
the quantum channel for a fix value of the observed error rate 
e = 0.01. The mean photon number fi is 0.1 and rjdet is 0.2. 



given by —10 log^o Vt- From P^™^'*' and Pexp one can ob- 
tain the probability that single-photon signals contribute 
to the raw key. It is given by 



psingle _ p _ p 
arr exp ^ arr 



multi 



(18) 



The multi-photon pulses does not introduce any error in 
the sifted key. This means that 



psingle 



(19) 



exp 



After substituting the values of Pexp and P^™^^^ into 
Eq. p9|) we finally obtain 



e'^(?7dete^"''-"" + e^(l - r]det) - e^^^-^^-'t^-"'))) 
(l-?7rfet)(l-e^''''=*''*) 



D 



(20) 

This result is illustrated in Fig. [S] for some typical values 
of /X and rjdet- When the loss in the channel increases, the 
observed error rate e for each value of D, as expected, 
decreases. The regime that we consider here corresponds 
with a value of the loss in the channel such as Eve can 
perform a PNS attack on all the multi-photon pulses, 
but Pexp > Pa™"'*'- The first condition requires 



Pexp < rjdetP{l.tJi)+Pc 



>7nulti 
arr i 



(21) 



which provides an upper bound for the transmission effi- 
ciency of the channel 



In 



e^^(e^''-'''i'''-r)det(l+M(l-r)det))) l 
mdet 



(22) 



The second constraint Pexp > P^r''*^ implies a lower 
bound for jjt 



Vt > 



ln[^ 



l — rjdet 



mdet 



(23) 



The meaning of this condition is to guarantee that we 
are not in a regimen where the PNS attack is still Eve's 



optimal strategy. When fi = 0.1 and rjdet — 0.2, we 
obtain for the lower and upper bound 0.17dB and 13.2dB, 
respectively. 

The process based on cloning machines become more 
powerful than the PNS process for lower values e when 
the loss is high. The typical value of the observed error 
rate in the experiments is around 1% if we consider only 
errors in the quantum channel. Therefore, it is interest- 
ing to see how the value of the disturbance D change as 
a function of the loss in the channel when we impose e to 
be 1%. This is illustrated in Fig.|Hl We find, in combi- 
nation with Fig. ^that for losses higher than 12.5dB the 
PNS attack is clearly no longer optimal for these typical 
parameters. 

It is worth to point out that when the losses in the 
channel are small, but still inside the interval imposed 
by Eq. and Eq. , the eavesdropping attack which 
includes the cloning machine can be made more powerful 
than the PNS attack even for a lower value of e than the 
one given in Eq. H20|) . The reason is that, although in 
this situation Eve cannot discard too many single-photon 
pulses, she can re-distribute the errors from the single- 
photon processes into the two-photon processes. To this 
end, she increases her intrusion via the cloning attack on 
the two-photon signals, while she reduces her intrusion 
on the single-photon signals. The exploitation of this 
effect is beyond the scope of this article. 



VI. PHOTON STATISTICS 

In the previous sections we consider the case of the 
standard BB84 protocol, where only the raw bit rate is 
monitored. Here, we briefly discuss the case of the ex- 
tended version of the protocol, where Alice and Bob uses 
the full statistics at their disposal to detect Eve. 

In this scenario, it is straightforward to see that the 
processes of Fig. |21 and Fig. O are not equivalent. The 
PNS process of Fig. |21can never produce a double click 
in Bob's detectors, while the process of Fig. O presents 
always a non-vanishing probability of producing a dou- 
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ble click, independently of the basis that Bob uses for his 
measurement. In fact, the PNS attack never produces 
a double click event when Bob chooses for his measure- 
ment the same basis that Alice used when preparing the 
signals. This means that, in principle, Alice and Bob 
might employ this information to discard any eavesdrop- 
ping strategy that includes the cloning process. How- 
ever, if we consider a real implementation of the proto- 
col, then the situation is not so simple. The reason is 
that the quantum channel is not just lossy, but presents 
a misalignment that introduces errors in the signals [s^ . 
As a result we have that any multi-photon signal has a 
non-zero probability of providing a double click, indepen- 
dently of the basis used by Bob in his measurement. This 
means that Eve must adapt the PNS attack such that 
it reproduces the expected misalignment in the channel. 
Otherwise her attack would be detected. In particular, 
Eve have to introduce some noise in the signals that are 
sent to Bob. In the case of single-photon pulses, this can 
be achieved by sending the signals through a depolarizing 
channel of appropriate parameters. This is precisely the 
effect of the symmetric OA introduced in Sec. lIIII There- 
fore, in these pulses. Eve can always get information from 
this extra noise. The multi-photon pulses, however, gives 
already Eve full information about the key, and she can- 
not exploit the noise she needs to introduce to get more 
information from the single-photon pulses. 

The eavesdropping attack which includes the cloning 
machine can also be adapted such that it reproduces the 
statistics that is expected from a realistic channel. How- 
ever, the question whether it remains more powerful than 
the PNS attack, in this scenario, requires a deeper anal- 
ysis. If we consider the situation where Eve performs a 
PNS attack on the pulses that contain more than two 
photons, and the misalignment in the channel is suffi- 
ciently strong for Eve to get full information from the 
cloning process, then Eve can obtain as much information 
as with the PNS attack. If the misalignment is smaller, 
it seems that the strategy that combines the cloning pro- 
cess with the PNS attack on the remaining multi-photon 
pulses cannot be more powerful than the PNS attack. 
The reason is that the adapted version of the PNS attack 
still contains processes that do not produce any double 
click in Bob's detectors, independently of the basis that 
Bob uses for his measurement. To compensate this ef- 
fect, Eve has to subtract more than one photon from the 
multi-photon pulses, such that she creates processes that 
do not produce double clicks. But now the effectiveness 
of the complete strategy decreases, since the probability 
that the signals which provide Eve full information about 
the key (multi-photon pulses) contribute to the raw key 
decreases. 

Although this fact constitutes a handicap of the eaves- 
dropping strategy that combines the cloning process of 
Fig. with the PNS attack on the rest of the pulses, 
it might be of relative importance in practice. Double 
clicks are rare events that have a very small probabil- 
ity to occur, and the statistical fluctuations in the chan- 



nel, together with the effect of dark counts in Bob's de- 
tectors, makes the detection of Eve's presence not easy. 
Moreover, Eve might also use a mixed strategy that com- 
bines probabilistically the PNS process of Fig.|21and the 
cloning process of Fig. O such as her attack remains still 
more powerful than the PNS attack, while making her 
detection even more difficult. 



VII. CONCLUSION 

In an ideal quantum optical implementation of QKD, 
the sender use single photons to encode the informa- 
tion he transmits. However, current experiments are 
not based on single photon sources, but they are usually 
based on weak coherent pulses (WCP) with a low average 
photon number. Also the detectors employed by the re- 
ceiver are not perfect, but have a low detection efficiency 
and are noisy. This fact, together with the loss in the 
quantum channel, limits the distances that can be cov- 
ered by these methods. In this scenario, it is tempting to 
assume that the loss in the detectors cannot be changed 
by Eve in order to increase the covered distance, while the 
PNS attack, like in the case of a conservative definition of 
security, still constitutes Eve's optimal strategy. In this 
paper we disprove this belief for the case of the standard 
BB84 protocol, where only the raw bit rate (before the 
key distillation phase) is monitored. We constructed two 
specific eavesdropping strategies which include processes 
that do not subtract photons from the pulses, and that 
are more powerful than the PNS attack for some rele- 
vant regimes of the observed error rate. These strategies 
are based on the use of cloning machines. A complete 
analysis of Eve's optimal attack in this situation is still 
missing. In the extended version of the BB84 protocol, 
where Alice and Bob consider the full statistics at their 
disposal, the situation is not as straightforward, and a 
deeper security analysis of this scenario is required. 
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APPENDIX A: RELATED WORK 

An investigation of the scenario where Eve cannot im- 
prove Bob's detectors has been undertaken in [23. We 
believe that this investigation is incomplete so far. The 
authors claim that they have performed an thorough 
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analysis of the situation where Bob's detection efficiency 
cannot manipulated by Alice, together with the restric- 
tion of an 'individual attack'. The authors define 'indi- 
vidual attack' radically different from the usual terminol- 
ogy that is used in the analysis of quantum key distribu- 
tion: they refer to attacks that act on photons individu- 
ally, rather than signals. In practice this means that the 
authors consider optimal attacks on single photon signals, 
which can be implemented by attaching a probe to a sin- 
gle photon, on the other hand, they disallow attaching a 
probe to a two-photon signal, since that would mean to 
interact with the two photons 'coherently'. In fact, they 
state (2^ that such manipulations would be possible only 
when quantum computers become available. 

Of course, it is not unusual to start with some assump- 
tions about restrictions of eavesdropping strategies. For 
example, investigation of an individual attack scenario 
(now referring to the standard definition that relates to 
the signal pulses) has proven to be very powerful since 
the analysis can be performed easily and the resulting pa- 
rameters for privacy amplification and the secure key rate 
corresponds roughly to the subsequently derived values 
that assure security again all attacks, including coherent 
attacks on all signals. From this experience the individ- 
ual attack derives its role as a first step investigation of 
the performance and security analysis of QKD schemes. 
The relationship between individual and coherent attacks 
has been strengthened by the results of Wang . 

In the scenario considered by 2^ we cannot see an 
equivalent role. Another motivation to investigate re- 
stricted scenarios might be the technological challenge of 
different eavesdropping strategies. However, the techno- 
logical difference between attaching a probe to a single 
photon as compared to attaching a probe to a two-photon 
signal is not evident. Clearly, these questions do not in- 
validate the obtained results. However, in our point of 
view, the authors of are inconsistent in describing 
the restrictions of their considered eavesdropping attacks. 
They claim that as a consequence of their restriction they 
need to consider only three types of attacks: 

1. 'Direct attacks' in which Eve can unambiguously 
determine the signal state by a direct measurement 
of the signal. This corresponds to the unambiguous 
state discrimination attack in '2l'|. (Requires at 
least 3 photons.) 

2. 'Indirect attacks', which is precisely the PNS at- 
tack [isl [l6l |fl7j that extract one photon from the 
signal. (Requires at least 2 photons.) 

3. 'Combined attacks' which performs the indirect 
and the direct attack. (Requires therefore at least 
5 photons, and is in the analysis later on shown to 
be an inferior attack.) 

It is left open how these categories emerge and why this 
should be a complete description. As first point of crit- 
icism note that the authors apply for the 'direct attack' 



the results of |2l| that provide the performance for op- 
timal unambiguous state discrimination measurements. 
Can we implement this attack by acting 'individually' on 
photons? A second point of criticism is that to perform 
these attacks Eve needs to know the number of photons 
in each pulse. If one thinks of photons as distinguishable 
particles in a pulse, this might be easy. In a proper quan- 
tum optical description, however, these type of counting 
mechanisms, which do not disturb the signal, will require 
in all experience the same level of interaction between a 
probe and the total signal, as does a general eavesdrop- 
ping attack on the signal. 

So far, we pointed at inconsistencies that do not endan- 
ger the security statement derived in These attacks 
overestimate Eve's capabilities as compared to the initial 
restriction that require 'individual' attacks on photons. 
However, the categorization by Gilbert and Hamrick left 
out possible attacks. Those attacks still operate on 'in- 
dividual' photons only. As an example let us consider a 
two-photon pulse. According to ^] the only attack we 
need to consider is the PNS attack. Instead, let Eve per- 
form a direct measurement on the photons, for example 
in the sense of a minimum-error measurement. Of course, 
the error will be non-zero, since on a two-photon state 
in the BB84 polarizations one cannot perform success- 
fully unambiguous state discrimination. However, opti- 
mal eavesdropping on single-photon signals also results in 
some errors. Another attack would be to separate the two 
photons. Then one can attack probes to both photons 
and try to combine the photons again in Bob's detection 
apparatus, e.g. by sending them to Bob in close sequence 
so that Bob does not notice that they have been sepa- 
rated. Moreover, similar attacks are omitted for higher 
photon numbers. 

These examples question the completeness of the pro- 
posed classification of eavesdropping attacks in 22\ . Note 
that after receiving an advance copy of this manuscript 
the authors of revised their work, acknowledging the 
incompleteness of their analysis. This means that we 
have to treat the classification as an assumption that only 
those three classes are of relevance. This includes the as- 
sumption that for the two-photon pulse the PNS attack 
is optimal in their restricted scenario. As a consequence, 
a security claim for an experimental implementation of 
QKD should not be based on this analysis, as done in 
[2^l39| . since it underestimates Eve's ability. Neverthe- 
less, within the three investigated classes of eavesdrop- 
ping attacks, Gilbert and Hamrick have been able to show 
that the unambiguous state discrimination attack can be 
more effective for Eve than the photon-number splitting 
attack for signals containing three or more photons. 



APPENDIX B: EXPLICIT EXPRESSIONS 

In this appendix we provide the exact expressions for 
the coefficients a, 6, c, d, e, and / that are introduced in 
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Eq. (O, as a function of the angle 7. d - 1 + ^ '^'"^ ^ _|_ cos'^ 7 2 cos 7 

. , 3 + cos(27) l + sin27 + sin' 

4sin7 10sin(27) 

/o~; 7o~T /t; TTTT A — 4sin7(— COS7 + vl + sin 7) 

v/3 + cos(27) ^3 + cos(27)Vl + sm''7 n . -- 



2 COS 7 9/8 1 

— , + cos 7 \ 5— 

Vl + sin' 7 V 1 + cos^ 7 1 + sni^ 7 

1 



V3 + cos(27)v/l + sin'7 



4 sin' 7 ^ — - H ^ , 

'V3 + cos(27) 1 + sin' 77 



1 - 



4 sin' 7 cos' 7 2 cos 7 



^ ^ ^ ^ 2 cos 7 ^ 8sin'7(9 + cos(27)) 3 + cos(27) 1 + sin' 7 Vl + sin'7' 

Vl + sin' 7 -17 + cos(47) and 



+ cos' 7 



1 



1 + cos' 7 1 + sin' 7 



4 sin 7 10sin(27) , . . ■ 2 9 
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1 + sin 7 
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